20029192 Userland should build with ld -z sx=nx* flags instead of map.noexstk
23118364 Enable ADIHEAP on security sensitive binaries
23118359 Build openssh as PIE
--- a/components/apache24/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/apache24/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -48,6 +48,10 @@
# to build modules.
LDFLAGS += $(CC_BITS)
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
PATCH_LEVEL=0
# We will build two separate mod_ssl versions.
--- a/components/bind/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/bind/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -97,6 +97,10 @@
# Uncomment to display summary of tests at completion.
# COMPONENT_POST_TEST_ACTION = $(NAWK) $(summarize) $(COMPONENT_TEST_OUTPUT)
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
.PHONY: test-named-version test-summary test-clean
# summarize is a nawk script:
# consumes the output generated by ISC's make target and provides an
--- a/components/bzip2/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/bzip2/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -45,6 +45,10 @@
# we need to enable large file support and build PIC for our shared libraries
CFLAGS += $(CPP_LARGEFILES) $(CC_PIC)
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
COMPONENT_BUILD_ENV += CC="$(CC)"
COMPONENT_BUILD_ARGS += CC="$(CC)"
COMPONENT_BUILD_ARGS += CFLAGS="$(CFLAGS)"
--- a/components/cmake/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/cmake/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -64,6 +64,11 @@
# when testing on sparc
LD_MAP_NOEXBSS.sparc=
+# map.noexbss has the side effect of making the heap non executable.
+# Reflect the setting above explicitly disabling NXHEAP.
+NXHEAP_MODE = $(NXHEAP_DISABLE)
+
+
# We need these in the environment, although they are already passed
# as CONFIGURE_OPTIONS; otherwise the correct compilers are not used
CONFIGURE_ENV += MAKE="$(GMAKE)"
--- a/components/curl/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/curl/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -44,6 +44,10 @@
CPPFLAGS += `pkg-config --cflags libidn`
CPPFLAGS += "-I/usr/include/openldap"
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
CONFIGURE_OPTIONS += --localstatedir=$(VARDIR) --enable-shared --disable-static
CONFIGURE_OPTIONS += --enable-http --enable-ftp
CONFIGURE_OPTIONS += --enable-file --enable-dict
--- a/components/cvs/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/cvs/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -41,6 +41,10 @@
CFLAGS += -D__ATTRIBUTE_DISABLED
CONFIGURE_OPTIONS += --with-external-zlib
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
# need gnu grep
COMPONENT_TEST_ENV += PATH=$(GNUBIN):$(PATH)
# "check" is not working yet. It's asking for a password.
--- a/components/emacs/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/emacs/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -66,7 +66,6 @@
# LD_OPTIONS is defined to apply desirable link-editor options to Userland
# components. Non-executable stack and data break sparc emacs.
#
-LD_MAP_NOEXSTK.sparc=
LD_MAP_NOEXDATA.sparc=
# Uncomment this for debugging only. It configures emacs to run from the
@@ -112,17 +111,12 @@
# emacs is not network facing, or run with elevated privileges, this is
# not a security concern.
#
-# As with ASLR, ADIHEAP should be explicitly disabled for emacs, as the
-# dumped emacs cannot work with ADI. Recognizing that ASLR_MODE could really
-# be SX_MODE, and generalized to handle all the sxadm extensions, redefine
-# it here to handle both cases. It is expected that in due course, the
-# Userland framework will evolve in this direction.
-#
-ifeq ($(OS_VERSION), 5.11)
+# Similarly, emacs cannot cope with a non-executable stack and with a protected
+# and non-executable heap.
ASLR_MODE = $(ASLR_DISABLE)
-else
-ASLR_MODE = -z sx=aslr=disable,adiheap=disable
-endif
+NXHEAP_MODE = $(NXHEAP_DISABLE)
+NXSTACK_MODE = $(NXSTACK_DISABLE)
+ADIHEAP_MODE = $(ADIHEAP_DISABLE)
# variant specific configure options
$(BUILD_DIR)/%-nox/.configured: CONFIGURE_OPTIONS += --without-all --without-x
--- a/components/fetchmail/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/fetchmail/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -35,6 +35,10 @@
TPNO= 29615
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
include $(WS_MAKE_RULES)/common.mk
CONFIGURE_OPTIONS += PYTHON="$(PYTHON.2.7.32)"
--- a/components/gcc4/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/gcc4/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -71,6 +71,15 @@
# /usr/lib/ld/map.noexbss destroys SPARC
LD_MAP_NOEXBSS.sparc=
+# Mapfiles map.noexdata and map.noexbss mark the data + bss and bss
+# segments non executable on x86 and SPARC respectively. The protection
+# extends to the heap segment, if the heap is brk based, as is the case
+# with gcc. Since the introduction of NXHEAP, this is controlled
+# separately by the NXHEAP extension itself. Whether the heap should be
+# executable or not should be reevaluated. For now, try to avoid
+# "destruction" as hinted above.
+NXHEAP_MODE = $(NXHEAP_DISABLE)
+
# for some reason the fixincludes target fails with bash on Solaris.
CONFIG_SHELL = /bin/sh
MAKESHELL = /bin/sh
--- a/components/gcc5/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/gcc5/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -68,6 +68,15 @@
# /usr/lib/ld/map.noexbss destroys SPARC
LD_MAP_NOEXBSS.sparc=
+# Mapfiles map.noexdata and map.noexbss mark the data + bss and bss
+# segments non executable on x86 and SPARC respectively. The protection
+# extends to the heap segment, if the heap is brk based, as is the case
+# with gcc. Since the introduction of NXHEAP, this is controlled
+# separately by the NXHEAP extension itself. Whether the heap should be
+# executable or not should be reevaluated. For now, try to avoid
+# "destruction" as hinted above.
+NXHEAP_MODE = $(NXHEAP_DISABLE)
+
# for some reason the fixincludes target fails with bash on Solaris.
CONFIG_SHELL = /bin/sh
MAKESHELL = /bin/sh
--- a/components/gzip/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/gzip/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -32,6 +32,10 @@
TPNO= 28039
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
INSTALL_TARGET=
SYSTEM_TEST_TARGET= configure $(SYSTEM_TEST_64)
include $(WS_MAKE_RULES)/gnu-component.mk
--- a/components/imagemagick/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/imagemagick/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -40,6 +40,11 @@
TPNO= 29915
+# Enable adiheap security extension.
+# adistack fails with libgcc exception unwinding code.
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_DISABLE)
+
include $(WS_MAKE_RULES)/common.mk
PATH=$(SPRO_VROOT)/bin:$(USRBINDIR):$(GNUBIN)
--- a/components/isc-dhcp/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/isc-dhcp/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -49,6 +49,10 @@
COMPONENT_PRE_CONFIGURE_ACTION = \
($(CLONEY) $(SOURCE_DIR) $(@D))
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
# Some patches need configure script re-creation.
COMPONENT_PREP_ACTION +=(cd $(@D); autoreconf -vfi);
--- a/components/mutt/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/mutt/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -34,6 +34,10 @@
TPNO= 29951
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
TEST_TARGET= $(NO_TESTS)
include $(WS_MAKE_RULES)/common.mk
--- a/components/ncftp/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/ncftp/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -36,6 +36,10 @@
TPNO= 24893
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
TEST_TARGET= $(NO_TESTS)
include $(WS_MAKE_RULES)/common.mk
--- a/components/openldap/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/openldap/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -113,6 +113,10 @@
COMPONENT_BUILD_ENV += LTCFLAGS="-m$(BITS)"
COMPONENT_INSTALL_ENV += LD_UNSET="$(LD_UNSET)"
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
# special targets due to dependency on cyrus-sasl
../cyrus-sasl/build/%/.installed:
(cd ../cyrus-sasl && $(GMAKE) install)
--- a/components/openscap/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/openscap/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -62,6 +62,10 @@
# XXX This shouldn't be necessary, but is; investigate why.
CFLAGS += -D_FILE_OFFSET_BITS=64
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
# Perl related patch needs configure script recreation.
COMPONENT_PREP_ACTION +=(cd $(@D); autoreconf);
--- a/components/openssh/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/openssh/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -75,8 +75,13 @@
# libraries that it needs.
LDFLAGS += $(LD_B_DIRECT) -z nolazyload
-# Enable nxheap and nxstack security extensions
-LDFLAGS += -z nxheap=enable -z nxstack=enable
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
+# Build PIE
+CC_PIC_MODE = $(CC_PIC_ENABLE)
+LD_Z_PIE_MODE = $(LD_Z_PIE_ENABLE)
# Fix 64-bit linking via compiler.
LDFLAGS += $(CC_BITS)
--- a/components/openssh/network-ssh.p5m Thu Nov 03 22:18:09 2016 -0700
+++ b/components/openssh/network-ssh.p5m Fri Nov 04 05:32:50 2016 -0700
@@ -21,6 +21,8 @@
# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
#
<transform file path=usr.*/man/.+ -> default mangler.man.stability "Pass-through Uncommitted">
+# pie executables confuse this pkglint check due to bug 24457293
+<transform file path=usr/bin/.+ -> default pkg.linted.userland.action001.2 True>
set name=pkg.fmri \
value=pkg:/network/ssh@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
set name=pkg.summary value="OpenSSH client and associated utilities"
--- a/components/openssh/service-network-ssh.p5m Thu Nov 03 22:18:09 2016 -0700
+++ b/components/openssh/service-network-ssh.p5m Fri Nov 04 05:32:50 2016 -0700
@@ -21,6 +21,8 @@
# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
#
<transform file path=usr.*/man/.+ -> default mangler.man.stability "Pass-through Uncommitted">
+# pie executables confuse this pkglint check due to bug 24457293
+<transform file path=usr/lib/ssh/.+ -> default pkg.linted.userland.action001.2 True>
set name=pkg.fmri \
value=pkg:/service/network/ssh@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
set name=pkg.summary value="OpenSSH servers and SSH (Secure Shell) services"
--- a/components/postfix/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/postfix/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -58,6 +58,10 @@
CCARGS += -DHAS_LDAP -I/usr/include/openldap
AUXLIBS += -lldap_r-2.4 -llber-2.4
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
# pcre-config is run as part of the setup, so we need to find the 64-bit
# version so it will provide a 64-bit runpath, o/w pkglint gives warnings.
PATH = $(USRBINDIR64):$(USRBINDIR):$(GNUBIN)
--- a/components/procmail/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/procmail/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -36,6 +36,10 @@
TPNO= 9003
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
BUILD_STYLE= justmake
TEST_TARGET= $(NO_TESTS)
include $(WS_MAKE_RULES)/common.mk
--- a/components/proftpd/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/proftpd/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -56,6 +56,10 @@
PUBLISH_STAMP=
endif
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
# libcheck and specific Perl Test::Unit version is required for full test
TEST_TARGET= $(SKIP_TEST)
include $(WS_MAKE_RULES)/common.mk
--- a/components/samba/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/samba/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -92,6 +92,10 @@
CPPFLAGS += $(CPP_XPG6MODE)
CPPFLAGS += -I/usr/include/openldap
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
LDFLAGS += -m$(BITS)
LDFLAGS += -R/usr/lib/samba$(MACHLIBDIR)
LDFLAGS += -R/usr/lib/samba/private$(MACHLIBDIR)
@@ -105,6 +109,7 @@
CONFIGURE_OPTIONS += --bindir=/usr/lib/samba/bin
CONFIGURE_OPTIONS += --sbindir=/usr/lib/samba/sbin
CONFIGURE_OPTIONS += --libdir=/usr/lib/samba$(MACHLIBDIR)
+
CONFIGURE_OPTIONS += --with-privatelibdir=/usr/lib/samba/private$(MACHLIBDIR)
CONFIGURE_OPTIONS += --sysconfdir=/etc/samba
CONFIGURE_OPTIONS += --with-pammodulesdir=/usr/lib/samba/security$(MACHLIBDIR)
--- a/components/screen/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/screen/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -32,6 +32,10 @@
TPNO= 29565
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
TEST_TARGET= $(NO_TESTS)
include $(WS_MAKE_RULES)/gnu-component.mk
--- a/components/sendmail/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/sendmail/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -37,6 +37,10 @@
TPNO= 23958
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
# Mostly but not completely migrated from ON in S12.
ifeq ($(BUILD_TYPE), evaluation)
BUILD_32_and_64=
--- a/components/squid/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/squid/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -38,6 +38,10 @@
TPNO= 28337
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
TEST_TARGET= $(TEST_64)
include $(WS_MAKE_RULES)/common.mk
--- a/components/sudo/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/sudo/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -47,6 +47,10 @@
LDFLAGS += $(CC_BITS)
LDFLAGS += -lldap_r-2.4
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
# Allows zero-sized struct/union declarations and void functions with return
# statements returning a value to work.
CFLAGS += -features=extensions
--- a/components/tcpdump/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/tcpdump/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -34,6 +34,10 @@
TPNO= 22949
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
include $(WS_MAKE_RULES)/common.mk
ifeq ($(OS_VERSION),5.11)
--- a/components/wget/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/wget/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -33,6 +33,10 @@
TPNO= 29459
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
include $(WS_MAKE_RULES)/gnu-component.mk
# Keep just the final test report
--- a/components/wireshark/Makefile Thu Nov 03 22:18:09 2016 -0700
+++ b/components/wireshark/Makefile Fri Nov 04 05:32:50 2016 -0700
@@ -35,6 +35,10 @@
TPNO= 32120
+# Enable adiheap and adistack security extensions
+ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+ADISTACK_MODE = $(ADISTACK_ENABLE)
+
TEST_TARGET= $(NO_TESTS)
# Depends on newer cairo, which cannot be updated in S11.
--- a/make-rules/shared-macros.mk Thu Nov 03 22:18:09 2016 -0700
+++ b/make-rules/shared-macros.mk Fri Nov 04 05:32:50 2016 -0700
@@ -905,8 +905,10 @@
# Generic macro for PIC code generation. Use this macro instead of the
# compiler-specific variant.
-CC_PIC = $($(COMPILER)_PIC)
-
+CC_PIC = $($(COMPILER)_PIC)
+CC_PIC_ENABLE = $(CC_PIC)
+CC_PIC_DISABLE =
+CC_PIC_MODE = $(CC_PIC_DISABLE)
# Default GNU C compiler flags. Add the required feature to your Makefile
# with CFLAGS += $(FEATURE_MACRO) and add to the component build with
@@ -927,6 +929,10 @@
# Build 32 or 64 bit objects.
CFLAGS += $(CC_BITS)
+# Support building a binary PIE by building each unit PIC. To enable in
+# a makefile, add CC_PIC_MODE = $(CC_PIC_ENABLE)
+CFLAGS += $(CC_PIC_MODE)
+
# Add compiler-specific 'default' features
CFLAGS += $(CFLAGS.$(COMPILER))
CFLAGS += $(CFLAGS.$(COMPILER).$(BITS))
@@ -1006,22 +1012,91 @@
# use direct binding
LD_B_DIRECT = -Bdirect
-# use generic macro names for enabling/disabling ASLR
-ASLR_ENABLE = -zaslr=enable
-ASLR_DISABLE = -zaslr=disable
-ASLR_NOT_APPLICABLE = -zaslr=disable
+# build a PIE binary
+# to enable creating a PIE binary, add LD_Z_PIE_MODE = $(LD_Z_PIE_ENABLE)
+# to the component makefile, and ensure that it's built PIC (CC_PIC_ENABLE).
+LD_Z_PIE_ENABLE = -ztype=pie
+LD_Z_PIE_DISABLE =
+LD_Z_PIE_MODE = $(LD_Z_PIE_DISABLE)
+
+# generic macro names for enabling/disabling security extensions
+# -z<extname> is deprecated, but supported, on S12, in favor of
+# the more flexible -zsx=<extname> format. Security extensions which
+# are not supported on S11 use -zsx=<extname> by default.
+
+ifeq ($(OS_VERSION), 5.11)
+ASLR_ENABLE = -zaslr=enable
+ASLR_DISABLE = -zaslr=disable
+ASLR_NOT_APPLICABLE = -zaslr=disable
+
+NXSTACK_ENABLE = -znxstack=enable
+NXSTACK_DISABLE = -znxstack=disable
+NXSTACK_NOT_APPLICABLE = -znxstack=disable
+
+NXHEAP_ENABLE = -znxheap=enable
+NXHEAP_DISABLE = -znxheap=disable
+NXHEAP_NOT_APPLICABLE = -znxheap=disable
+else
+ASLR_ENABLE = -zsx=aslr=enable
+ASLR_DISABLE = -zsx=aslr=disable
+ASLR_NOT_APPLICABLE = -zsx=aslr=disable
-# Enable ASLR by default unless target build is NO_ARCH.
+NXSTACK_ENABLE = -zsx=nxstack=enable
+NXSTACK_DISABLE = -zsx=nxstack=disable
+NXSTACK_NOT_APPLICABLE = -zsx=nxstack=disable
+
+NXHEAP_ENABLE = -zsx=nxheap=enable
+NXHEAP_DISABLE = -zsx=nxheap=disable
+NXHEAP_NOT_APPLICABLE = -zsx=nxheap=disable
+
+ADIHEAP_ENABLE.sparcv9 = -zsx=adiheap=enable
+ADIHEAP_DISBLE.sparcv9 = -zsx=adiheap=disable
+ADIHEAP_ENABLE = $(ADIHEAP_ENABLE.$(MACH64))
+ADIHEAP_DISABLE = $(ADIHEAP_DISABLE.$(MACH64))
+
+ADISTACK_ENABLE.sparcv9 = -zsx=adistack=enable
+ADISTACK_DISABLE.sparcv9 = -zsx=adistack=disable
+ADISTACK_ENABLE = $(ADISTACK_ENABLE.$(MACH64))
+ADISTACK_DISABLE = $(ADISTACK_DISABLE.$(MACH64))
+endif
+
+# Enable ASLR, NXHEAP and NXSTACK by default unless target build is NO_ARCH.
ifeq ($(strip $(BUILD_BITS)),NO_ARCH)
-ASLR_MODE= $(ASLR_NOT_APPLICABLE)
+ASLR_MODE= $(ASLR_NOT_APPLICABLE)
+NXSTACK_MODE = $(NXSTACK_NOT_APPLICABLE)
+NXHEAP_MODE = $(NXHEAP_NOT_APPLICABLE)
+ADIHEAP_MODE =
+ADISTACK_MODE =
else
-ASLR_MODE= $(ASLR_ENABLE)
+ASLR_MODE = $(ASLR_ENABLE)
+NXSTACK_MODE = $(NXSTACK_ENABLE)
+NXHEAP_MODE = $(NXHEAP_ENABLE)
+ADIHEAP_MODE =
+ADISTACK_MODE =
endif
-# by default, turn on Address Space Layout Randomization for ELF executables;
+# by default, turn on Address Space Layout Randomization, non-executable
+# stack and non-executable heap for ELF executables;
# to explicitly disable ASLR, set ASLR_MODE = $(ASLR_DISABLE)
+# to explicitly disable NXSTACK, set NXSTACK_MODE = $(NXSTACK_DISABLE)
+# to explicitly disable NXHEAP, set NXHEAP_MODE = $(NXHEAP_DISABLE)
# in that component's Makefile
LD_Z_ASLR = $(ASLR_MODE)
+LD_Z_NXSTACK = $(NXSTACK_MODE)
+LD_Z_NXHEAP = $(NXHEAP_MODE)
+
+# by default, ADIHEAP and ADISTACK are opt-in.
+# to explicitly enable ADIHEAP, set ADIHEAP_MODE = $(ADIHEAP_ENABLE)
+# to explicitly disable ADIHEAP, set ADIHEAP_MODE = $(ADIHEAP_DISABLE)
+# to explicitly enable ADISTACK, set ADISTACK_MODE = $(ADISTACK_ENABLE)
+# to explicitly disable ADISTACK, set ADISTACK_MODE = $(ADISTACK_DISABLE)
+#
+# ADIHEAP and ADISTACK are not supported on Solaris 11.
+#
+ifneq ($(OS_VERSION), 5.11)
+LD_Z_ADIHEAP = $(ADIHEAP_MODE)
+LD_Z_ADISTACK = $(ADISTACK_MODE)
+endif
#
# More Solaris linker flags that we want to be sure that everyone gets. This
@@ -1030,10 +1105,6 @@
# turned off by adding FEATURE_MACRO= to the component Makefile.
#
-# Create a non-executable stack when linking.
-LD_MAP_NOEXSTK.i386 = -M /usr/lib/ld/map.noexstk
-LD_MAP_NOEXSTK.sparc = -M /usr/lib/ld/map.noexstk
-
# Create a non-executable bss segment when linking.
LD_MAP_NOEXBSS.i386 = -M /usr/lib/ld/map.noexbss
LD_MAP_NOEXBSS.sparc = -M /usr/lib/ld/map.noexbss
@@ -1053,21 +1124,32 @@
# Default linker options that everyone should get. Do not add additional
# libraries to this macro, as it will apply to everything linked during the
# component build.
-LD_OPTIONS += $(LD_MAP_NOEXSTK.$(MACH)) $(LD_MAP_NOEXDATA.$(MACH)) \
+LD_OPTIONS += $(LD_MAP_NOEXDATA.$(MACH)) \
$(LD_MAP_PAGEALIGN) $(LD_B_DIRECT) $(LD_Z_IGNORE) \
$(LD_Z_STRIP_CLASS)
+LD_SECEXT_OPTIONS.sparc = $(LD_Z_ADIHEAP) $(LD_Z_ADISTACK)
+LD_SECEXT_OPTIONS = $(LD_Z_ASLR) $(LD_Z_NXSTACK) $(LD_Z_NXHEAP) \
+ $(LD_SECEXT_OPTIONS.$(MACH))
+
# only used on executables
-LD_EXEC_OPTIONS = $(LD_Z_ASLR)
+# executables can be ET_EXEC or ET_DYN (PIE). LD_EXEC_OPTIONS and
+# LD_PIE_OPTIONS apply respectively. A small trick is used to link
+# binaries with -ztype=pie, by passing it on the LD_EXEC_OPTIONS list.
+LD_EXEC_OPTIONS = $(LD_Z_PIE_MODE) $(LD_SECEXT_OPTIONS)
+LD_PIE_OPTIONS = $(LD_SECEXT_OPTIONS)
+
# Environment variables and arguments passed into the build and install
# environment(s). These are the initial settings.
COMPONENT_BUILD_ENV= \
LD_OPTIONS="$(LD_OPTIONS)" \
- LD_EXEC_OPTIONS="$(LD_EXEC_OPTIONS)"
+ LD_EXEC_OPTIONS="$(LD_EXEC_OPTIONS)"\
+ LD_PIE_OPTIONS="$(LD_PIE_OPTIONS)"\
COMPONENT_INSTALL_ENV= \
LD_OPTIONS="$(LD_OPTIONS)" \
- LD_EXEC_OPTIONS="$(LD_EXEC_OPTIONS)"
+ LD_EXEC_OPTIONS="$(LD_EXEC_OPTIONS)"\
+ LD_PIE_OPTIONS="$(LD_PIE_OPTIONS)"\
# Add any bit-specific settings
COMPONENT_BUILD_ENV += $(COMPONENT_BUILD_ENV.$(BITS))